Overview

One challenge we have seen and heard from our customers is converting a Windows 7 or Windows 10 computer that uses Legacy BIOS to Windows 10 with UEFI and Secure Boot. In this post, we are going to address one way this can be done on Lenovo ThinkCentre and ThinkPad computers in an automated fashion using MDT and WDS.

The scope of this solution will include:

PXE Boot to MDT WinPE Boot Image

Wipe and Load Only

No User Data Captured or Reloaded

Drive is re-partitioned and formatted as GPT instead of MBR

One disk – no multiple drive configurations

Select Think products:

ThinkPad Skylake models – all BIOS revisions

ThinkCentre – M700 Tiny, M800, M900, M900 Tiny, M900x Tiny (minimum BIOS version FWKT57A)

To apply the BIOS settings, we will be using the Think BIOS Configurator from the bottom of this blog post. This tool can also capture settings, so if other settings need to be applied, set them manually on a donor computer and then capture them there.
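The capture step above can also be reproduced directly against the same WMI interface the configurator uses. The following PowerShell is an added example, not the Think BIOS Configurator or any Lenovo-provided code: it dumps every BIOS item exposed through the Lenovo_BiosSetting class (root\wmi namespace) as Name,Value lines, and can compare a machine against a file captured earlier so that drift from the donor configuration is visible before imaging. The parameter names and the plain Name,Value file layout are this example's own assumptions.

```powershell
# Added example (not the Think BIOS Configurator or any Lenovo-provided code):
# dump every BIOS item exposed through Lenovo's WMI interface as Name,Value
# lines, and optionally compare this machine against a previously captured file.
param(
    [string]$Capture  = "",  # path to write this machine's settings to (assumed layout: Name,Value per line)
    [string]$Baseline = ""   # path of an earlier capture to compare against
)

function Get-ThinkBiosSettings {
    # Each Lenovo_BiosSetting instance carries one "Name,Value" string in
    # CurrentSetting; instances with an empty CurrentSetting are padding and skipped.
    # Item names differ between families (e.g. 'SecureBoot' on ThinkPad,
    # 'Secure Boot' on ThinkCentre), so capture on a donor of the same family.
    Get-WmiObject -Namespace root\wmi -Class Lenovo_BiosSetting |
        Where-Object { $_.CurrentSetting } |
        ForEach-Object {
            # Split on the first comma only; some values contain further commas.
            $name, $value = $_.CurrentSetting -split ',', 2
            [pscustomobject]@{ Name = $name.Trim(); Value = $value.Trim() }
        } | Sort-Object Name
}

$current = Get-ThinkBiosSettings

if ($Capture) {
    $current | ForEach-Object { "$($_.Name),$($_.Value)" } |
        Set-Content -Path $Capture -Encoding ASCII
    Write-Host "Captured $($current.Count) settings to $Capture"
}

if ($Baseline) {
    # Build a lookup from the baseline file, ignoring blank or malformed lines.
    $want = @{}
    Get-Content $Baseline | Where-Object { $_ -match ',' } | ForEach-Object {
        $n, $v = $_ -split ',', 2
        $want[$n.Trim()] = $v.Trim()
    }
    # Report only items present in the baseline whose value differs here.
    $drift = foreach ($s in $current) {
        if ($want.ContainsKey($s.Name) -and $want[$s.Name] -ne $s.Value) {
            [pscustomobject]@{ Name = $s.Name; Expected = $want[$s.Name]; Actual = $s.Value }
        }
    }
    if ($drift) {
        $drift | Format-Table -AutoSize
        exit 1      # non-zero so a task sequence step can branch on drift
    }
    Write-Host "All baseline settings match."
    exit 0
}
```

Run it once on the donor with -Capture to produce the reference file, then with -Baseline on a target to see which items (Secure Boot, boot order, and so on) still differ from the donor before the task sequence changes them.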

Configuring WDS

For the process to complete successfully, we will need to reboot after applying the Secure Boot and PXE settings. To continue the process after that reboot, the computer must boot back into a default boot image. Follow the steps below to set the MDT x64 boot image as both the default x64 boot image and the default x64 UEFI boot image.

In WDS, right-click the server name and select Properties.

Click on the Boot tab.

In the Default boot image (optional) section, click the Select button to the right of x64 architecture.

Select the MDT x64 boot image. If it is not there, please compile one and import it.

Repeat the steps for the x64 (UEFI) architecture.

MDT

MDT itself will require some settings to be set, either in CustomSettings.ini or in the MDT database, so that the task sequence starts automatically with no interaction.

Configure Share for Lenovo Scripts

In this example we will define some folders and create some scripts and ini files which will be referenced from tasks added to the MDT task sequence. The deployment share folder for this example is MDT2013U2.

Navigate to the Scripts folder and create a folder named Lenovo to contain all the necessary components for this example.

In the Lenovo folder, create a folder named BIOSConfig.

In the Lenovo folder, create a text file and name it CleanBootDrive.txt.

Condition: WMI Query: SELECT * FROM Win32_ComputerSystemProduct WHERE Version LIKE 'ThinkPad%'

Process

The intention is that once all of this is set up, the computer will be PXE booted and will select the x64 boot image. When the boot image loads, it will auto-populate all information required to start an MDT deployment and go into the default selected task sequence. After the task sequence starts, it detects whether the computer is already set for Secure Boot. If not, it sets the Secure Boot and Boot Order settings in the BIOS via WMI, cleans the partitions on the drive using diskpart, and reboots. Since we set the LAN first in the boot order, the computer then boots back to the PXE server and loads the default x64 UEFI boot WIM file. This time it bypasses the Secure Boot setup step, since Secure Boot is already set, and sets the boot order back to the hard disk drive. Since enabling Secure Boot switches the BIOS to UEFI only, the standard MDT task sequence steps then take over to format the disk as GPT and partition it via the normal steps with the Boot (EFI), MSR, Windows Primary (NTFS), and Recovery (NTFS) partitions. After this, the Windows 10 deployment should proceed as normal.
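The detect-then-set part of that flow can be written as one script for an MDT "Run PowerShell Script" step. The script below is an added example, not the blog post's own task sequence content: it identifies the Think family the same way the task sequence condition does (Win32_ComputerSystemProduct.Version), locates the Secure Boot item in Lenovo_BiosSetting regardless of the ThinkPad/ThinkCentre spelling differences, and if Secure Boot is off enables it through Lenovo_SetBiosSetting and Lenovo_SaveBiosSettings, returning 3010 so the calling step can restart. It assumes a WinPE image that includes the WinPE-PowerShell component; the supervisor-password and boot-order parameters are this example's own, and the boot-order setting name and value are model-specific placeholders to be taken from a captured donor configuration.

```powershell
# Added example (not the blog post's own script): decide whether this Lenovo
# system still needs Secure Boot enabled and, if so, enable it via the Lenovo
# WMI BIOS interface. Meant for an MDT "Run PowerShell Script" step in a WinPE
# image that includes the WinPE-PowerShell component (assumption).
param(
    # Supervisor password if one is set; "" means none (assumes ASCII, US keyboard).
    [string]$SupervisorPassword = "",
    # Optional boot order to apply in the same pass. Item name and value are
    # model-specific placeholders: take them from a donor machine's capture.
    [string]$BootOrderName  = "",
    [string]$BootOrderValue = ""
)

$ns = "root\wmi"

function Get-ThinkFamily {
    # Win32_ComputerSystemProduct.Version carries the product family name on
    # Think products; this is the same test the task sequence condition uses.
    $v = (Get-WmiObject -Class Win32_ComputerSystemProduct).Version
    if ($v -like 'ThinkPad*')    { return 'ThinkPad' }
    if ($v -like 'ThinkCentre*') { return 'ThinkCentre' }
    return 'Unknown'
}

function Get-SecureBootSetting {
    # Each BIOS item is one Lenovo_BiosSetting instance with CurrentSetting
    # "Name,Value". The item is 'SecureBoot' (Enable/Disable) on ThinkPad and
    # 'Secure Boot' (Enabled/Disabled) on ThinkCentre, so compare a normalised
    # name instead of hard-coding one spelling.
    Get-WmiObject -Namespace $ns -Class Lenovo_BiosSetting |
        Where-Object { $_.CurrentSetting } |
        ForEach-Object {
            $name, $value = $_.CurrentSetting -split ',', 2
            if (($name -replace '\s', '').ToLower() -eq 'secureboot') {
                [pscustomobject]@{ Name = $name.Trim(); Value = $value.Trim() }
            }
        } | Select-Object -First 1
}

function Set-ThinkBiosSetting([string]$Name, [string]$Value) {
    # SetBiosSetting accepts "Item,Value" or "Item,Value,Password,Encoding,KbdLang".
    $arg = "$Name,$Value"
    if ($SupervisorPassword) { $arg += ",$SupervisorPassword,ascii,us" }
    $r = (Get-WmiObject -Namespace $ns -Class Lenovo_SetBiosSetting).SetBiosSetting($arg)
    if ($r.return -ne 'Success') { throw "SetBiosSetting($Name) failed: $($r.return)" }
}

function Save-ThinkBiosSettings {
    # Nothing is committed to the firmware until SaveBiosSettings is called.
    $arg = if ($SupervisorPassword) { "$SupervisorPassword,ascii,us" } else { "" }
    $r = (Get-WmiObject -Namespace $ns -Class Lenovo_SaveBiosSettings).SaveBiosSettings($arg)
    if ($r.return -ne 'Success') { throw "SaveBiosSettings failed: $($r.return)" }
}

$family = Get-ThinkFamily
$sb = Get-SecureBootSetting
if (-not $sb) {
    # Older ThinkCentre BIOS levels do not expose the item at all; update first.
    Write-Error "No Secure Boot item found in Lenovo_BiosSetting; update the BIOS."
    exit 2
}
Write-Host "$family : $($sb.Name) = $($sb.Value)"

if ($sb.Value -like 'Enable*') {
    # Second pass of the task sequence (after the UEFI PXE reboot) lands here
    # and simply continues to the normal GPT partitioning steps.
    Write-Host "Secure Boot already enabled; nothing to do."
    exit 0
}

# Reuse the value spelling the firmware itself reported: 'Disabled' -> 'Enabled'
# (ThinkCentre), 'Disable' -> 'Enable' (ThinkPad).
$enableValue = if ($sb.Value -eq 'Disabled') { 'Enabled' } else { 'Enable' }
Set-ThinkBiosSetting -Name $sb.Name -Value $enableValue
if ($BootOrderName -and $BootOrderValue) {
    Set-ThinkBiosSetting -Name $BootOrderName -Value $BootOrderValue
}
Save-ThinkBiosSettings

# 3010 signals the calling step that a restart is pending; the new settings
# only take effect after the reboot, which is when the diskpart clean and
# the PXE boot into the UEFI boot image follow in the task sequence.
exit 3010
```

Exit code 0 is the "already compliant" path that the second, UEFI-booted run of the task sequence takes, so the same step can be left unconditional; the diskpart clean from CleanBootDrive.txt and the restart remain separate steps that run only when this one returns 3010.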

Comments

WMI Query: SELECT * FROM Lenovo_BiosSetting WHERE CurrentSetting Like 'Secure Boot,Disable%'

WMI Query: SELECT * FROM Lenovo_BiosSetting WHERE CurrentSetting Like 'SecureBoot,Disable%'

WMI Query: SELECT * FROM Lenovo_BiosSetting WHERE CurrentSetting Like 'Secure boot,Disable%'

Shouldn't this be 'Secure boot,Disabled' and 'Secure Boot,Disabled' for ThinkCentre products? Also, the Lenovo BIOS config tool does not display Secure Boot settings for ThinkCentre M93p and ThinkCentre M83 models. When I declare Secure Boot,Enabled in the ThinkCentreSecBootPXE.ini, it does not turn that setting on in the BIOS.

Yes, the ThinkCentre products do have a 'd' at the end. We keep pushing to get more consistency among our Think brands for this and hope to see improvements in the future. For the M93p and M83, please make sure you get the latest BIOS update. The Secure Boot setting in WMI was added by a BIOS update on those systems. If it's still missing, please post the details in our Enterprise Client Management Forum (http://lnv.gy/2nEVrNb).